Abstract — In-network data aggregation is an essential technique in mission critical wireless sensor networks (WSNs) for achieving effective transmission and hence better power conservation. Common security protocols for aggregated WSNs are either hop-by-hop or end-to-end, each of which has its own encryption schemes considering different security primitives. End-to-end encrypted data aggregation protocols introduce maximum data secrecy with inefficient data aggregation and more vulnerability to active attacks, while hop-by-hop data aggregation protocols introduce maximum data integrity with efficient data aggregation and more vulnerability to passive attacks.

In this paper, we propose a secure aggregation protocol for aggregated WSNs deployed in hostile environments in which dual attack modes are present. Our proposed protocol is a blend of flexible data aggregation as in hop-by-hop protocols and optimal data confidentiality as in end-to-end protocols. Our protocol introduces an efficient O(1) heuristic for checking data integrity along with a cost-effective heuristic-based divide and conquer attestation process which is O(ln n) on average (O(n) in the worst scenario) for further verification of aggregated results.

I. Introduction 

A wireless sensor network is usually a collection of hun- 
dreds or thousands of resource-constrained devices with small 
memories, low bandwidth and limited power resources. They 
are deployed in fields where persistent human monitoring and 
surveillance are either impossible or infeasible. These small 
detectors can be used to sense events ranging from simple 
readings (e.g. sensing room temperature) to more important 
and sensitive measures (e.g. intruder detection in military 
applications, detecting wildfire or signs of any catastrophic 
phenomena). Raw data collected using these limited sensors 
are usually queried by a more powerful device called base 
station (BS) -which may be far away from sensing fields- for 
further analysis and event-based reactions [16]. 

Since wireless sensor networks are energy constrained and 
bandwidth limited, reducing communications between sensors 
and base stations has a significant effect on power conservation 
and bandwidth utilization [7]. Aggregated sensor networks 
serve this purpose by introducing designated nodes called 
aggregators that provide efficient data collection and transmis- 
sion. An aggregator can sense its own data while aggregating 
received results from children nodes, which in turn may be 
leaf sensors or aggregators as well. 

Aggregated wireless sensor networks provide better power conservation and efficient use of communication channels but introduce additional security concerns. A passive adversary may capture sensitive results of aggregated data that represents a large partition of the aggregated WSN if the key of the root aggregator of that partition is compromised. On the other hand, an active adversary can forge aggregated data of a partition by compromising the parent node of that partition. Many security protocols for aggregated WSNs were introduced to solve these security problems. These security protocols can be classified according to their underlying encryption schemes into end-to-end and hop-by-hop secure data aggregation protocols.

The paper is organized as follows. In Section II we present previous work on secure aggregation on WSNs and we define our problem. In Section III we present our network model and its design goals, along with attacker model. In Sections IV and V we demonstrate our security protocol and provide analysis of its complexity. The paper is concluded in Section VIII.

II. Related Work 

In this section, we give a short background on previous work 
of secure aggregation protocols in WSNs, which are classified 
as end-to-end and hop-by-hop. 

In end-to-end encryption schemes [1], [4], [10], [15], in- 
termediate aggregators apply some aggregation functions on 
encrypted data which they can't decrypt. This is because these 
intermediate aggregators don't have access to the keys that 
are only shared between data originators (usually leaf sensor 
nodes) and the BS. In CDA [4] sensor nodes share a common
symmetric key with the BS that is kept hidden from middle-way
aggregators. In [1] each leaf sensor shares a distinct long-term
key with the BS. This key is originally derived from the
master secret only known to the BS. These protocols show that
aggregation of end-to-end encrypted data is possible through 
using additive Privacy Homomorphism (PH) as the underlying 
encryption scheme. Although these protocols are supposed to 
provide maximum data secrecy across the paths between leaf 
sensor nodes and their sink, overall secrecy resilience of a 
WSN becomes in danger if an adversary gains access to the 
master key in [1], or compromises only a single leaf sensor 
node in CDA to acquire the common symmetric key shared 
between all leaf nodes. 

In [10], [15] public key encryption based on elliptic curves 
is used to conceal transient data from leaf sensors to the BS. 
These schemes enhance secrecy resilience of WSNs against 
individual sensor attacks, since compromising a single or a set of sensor nodes won't reveal the decryption key that only the BS knows. An attractive feature of [10] is the introduction of data integrity in end-to-end encrypted WSNs through Merkle hash trees of Message Authentication Codes (MACs). However, both schemes raise power consumption concerns, since computation requirements for public key encryption are still considered high for WSNs [12].

Many hop-by-hop aggregation protocols in WSNs like [3], [6], [9], [13], [17] provide more efficient aggregation operations and give high consideration to data integrity. However, since sensed data passed to non-leaf aggregators are revealed for the sake of middle-way aggregation, hop-by-hop aggregation protocols represent a weaker model from the data confidentiality perspective than end-to-end aggregation protocols. The data secrecy of a partition is lost if a passive adversary obtains the key of the root aggregator of that partition.

A. Problem Statement 

The challenge is to find a general security protocol for aggregated WSNs that is not limited to a certain topology and provides strong data confidentiality comparable to that of secure end-to-end communication protocols. It should also provide efficient data aggregation and integrity comparable to those in hop-by-hop aggregation, taking into account the presence of active and passive adversaries. So, when some nodes of the aggregated WSN are physically compromised, the compromiser must not gain more information or have influence on aggregated results beyond the effects of its compromised nodes. For these purposes, we propose our security protocol that provides end-to-end data concealment using data diffusion and, at the same time, provides secure and flexible hop-by-hop aggregation with an efficient data integrity test, followed by an attestation process when forged data are detected in order to eliminate and exclude contributions of any compromised nodes that might be the source of the forged data.



III. System Model 



A. Notations 



We use the following notations to describe our protocol: 

• BS refers to the Base Station.

• $S = \{S_1, S_2, \ldots, S_n\}$ represents the set of sensor/aggregator nodes in the WSN. Since in our model sensors have the aggregation capabilities, the term sensor will be used to refer to a sensor that aggregates as well.

• $ID_{S_i}$ refers to the node ID of sensor node $S_i$.

• $K_{S_i,S_j}$ denotes a pairwise symmetric key between node $S_i$ and node $S_j$. $K_{S_i}$ and $K'_{S_i}$ are two pairwise symmetric keys of node $S_i$ shared with the BS, and $\mathcal{K}$ is a set of all keys.

• $m_{S_i}$ denotes a sensed data read by sensor $S_i$. $m_{S_i}$ is a bounded real value, i.e. $m_{S_i} \in \mathcal{D} = [u, v]$ for maximum and minimum sensible values $v$ and $u$, respectively.

• $Enc_K(m)$ denotes an encryption of a message $m$ using a key $K$.

• $MAC(K_{S_i}, m_{S_i})$ denotes a message authentication code of $m_{S_i}$ that is sensed by sensor $S_i$; this code is generated using the symmetric key $K_{S_i}$ that is shared between $S_i$ and the BS.

• $F_K(m)$ refers to a diffusion algorithm that is a public knowledge in the WSN. It takes as input a key $K$ and a data $m$; the result is a diffused value $D \in [u, v]$.

• $S_i \to S_j$ represents a one (or more) hop communication from sensor node $S_i$ to $S_j$.

Fig. 1. Network Model (Aggregated WSN).

B. Network Model 

We assume a general aggregated multi-hop WSN consisting of a large collection of resource-constrained sensor/aggregator nodes (MICA motes [5] for example) connected in a tree topology rooted at a powerful node called the Base Station (BS). An illustration of this model is depicted in Fig. 1. We don't impose any restrictions on the topology as long as it is a connected tree rooted at the BS. We don't require a specific aggregation tree construction algorithm; any efficient tree construction algorithm like TaG [8] can be used in our model. The BS may initially issue aggregation queries or it may be connected to an off-network distant querier, which is in this case considered the data consumer, and the BS is considered its query server. Aggregation queries represent the union of all sensor readings along the paths of the WSN to its root, i.e. the BS.

We assume that every sensor node $S_i$ is deployed with two unique symmetric keys $K_{S_i}$ and $K'_{S_i}$ shared with the BS, using a secure key deployment protocol, like MIB [11]. A secure broadcast authentication protocol is assumed for authenticating messages; an example of such a protocol is μTESLA [12]. Secure key distribution between adjacent nodes is also assumed; some schemes can be found in [2].

C. Attacker Model 

We assume a dual operational mode adversary (both passive and active) who is interested in revealing in-network data secrecy and injecting forged data. In our model, we consider effective attacks, where an adversary physically compromises $k \ll n$ nodes to gain the advantage that would result from attacking $m$ nodes, where $k < m < n$, without the need of attempting such an attack on these $m$ nodes directly. That is, with few compromised nodes, an adversary can endanger the security of an aggregated WSN as if it had physically compromised a much larger collection of nodes. When we denote a node as being physically compromised, we mean that an adversary gained control over the node's operation, having access to all its memory, keys, and resources, and is capable of reprogramming such a compromised node with attacking code. The attacker is not limited to a single place; it can compromise scattered partitions of nodes in which every partition may have nodes in parent/children relationship.

In this work, we don't consider preventing attacks that disrupt the regular operation of a WSN such as denial-of-service (DoS) attacks [14] or underlying routing protocol attacks. We are interested in preventing attacks that aim to acquire aggregation results or tamper with them rather than attacks that aim to prevent a querier from being served.

D. Design Goals 

We designed our protocol to protect against spy-out and 
false data injection attacks, for that, we considered the fol- 
lowing security perspectives: 

• Resilience: An adversary who compromises few nodes of 
an aggregated WSN must not spy-out or gain any impact 
on the final aggregation outcome beyond the influence of 
the readings and results of its compromised nodes. 

• Efficient Data Integrity, Commitment and Attestation: The aggregation result must be verified to be the authentic union of sensor readings and intermediate results. Such verification and attestation processes should not impose significant overhead on the WSN beyond the aggregation communication overhead.

• Generality: The protocol should apply to any aggregated 
WSN with arbitrary tree topology, moreover, the proto- 
col should support expandable WSNs without any extra 
reconfiguration. 

• Status Monitoring: BS must determine when a sensor 
node becomes dead or unreachable, by knowing and 
maintaining a list of all nodes contributed in every 
aggregation query. 

IV. Efficient and Secure Data Aggregation Protocol

In this section, we present our proposed protocol that 
resolves the compromise between data secrecy and efficient 
aggregation. An overview of the protocol will be presented 
first, then it will be followed by discussing the protocol details. 

A. Overview 

Our protocol is designed over the approach of data diffusion that preserves the mathematical relationships between different values which are all bounded by a defined range. By preserving mathematical relationships we can perform efficient hop-by-hop aggregation of collected diffused data. The information of these mathematical relationships is kept concealed end-to-end to maintain complete communication path secrecy. Besides maintaining the mathematical relationships, the diffusion algorithm must not increase the size of encrypted data. Based on this, we can achieve efficient secure hop-by-hop aggregation of end-to-end concealed data in aggregated WSNs.

B. Network Setup and Query Dissemination 

After field deployment, communication paths should be 
established. An efficient algorithm like TaG [8] can be used 
for tree topology construction. Communication channels are 
secured using pairwise encryption keys between every par- 
ent/children nodes, this is the same technique used in many 
hop-by-hop protocols (e.g. [17]) for securing communication 
channels. 

After tree construction, every sensor node $S_i$ sends its $ID_{S_i}$ and an initial random reading $m^0_{S_i} \in [u, v]$ to the BS in a message encrypted using the pairwise symmetric key $K_{S_i}$. The initial random reading serves in the data diffusion algorithm, as we will see later.

When the BS receives a query from a querier, it disseminates 
this query through the WSN paths. This query contains the 
desired aggregation function to be performed. 

C. Data Diffusion 

The purpose of the data diffusion process is to consolidate 
transient data from intermediate aggregators while giving them 
flexibility and efficiency while applying aggregation functions 
on these concealed data. Data diffusion serves also in data 
integrity check as we will see later. Every sensor node diffuses 
its sensed data before transmission. Middle-way aggregation 
of diffused data occurs before the final result reaches the BS, 
which is the only one who can revert diffused result to its 
actual value. 

Assume $S = \{S_1, S_2, \ldots, S_n\}$ be the set of sensor nodes and every node $S_i$ reads a value $m_{S_i}$. Every sensor node $S_i$ uses a diffusion function $F_K(m_{S_i})$ using the keys $K_{S_i}$ and $K'_{S_i}$ to generate a pair of diffused data, where $K_{S_i}$, $K'_{S_i}$ are two shared keys between $S_i$ and the base station (BS). We define the diffusion function $F_{K_{S_i}}(m_{S_i})$ as follows:

Definition 1: Assume $PS : \mathcal{D} \times \mathcal{K} \to \mathcal{D}$ be a public generator map (i.e., one way function) to produce

$$D_j = PS(K_{S_i}, D_{j-1}) \tag{1}$$

where $D_j \in \mathcal{D}$, $D_0 = m^0_{S_i}$, and $K_{S_i} \in \mathcal{K}$ for $j \ge 1$ and $1 \le i \le n$. Let $F : \mathcal{D} \times \mathcal{D} \to \mathcal{D}$ be a diffusion function defined as

$$F_{K_{S_i}}(m_{S_i}) = PS(K_{S_i}, D_{j-1}) \odot m_{S_i} \tag{2}$$

The value of the generator sequence $PS$ is taken as an input along with the sensed reading $m_{S_i}$ to the mathematical operand $\odot$ which generates a diffused value $F_{K_{S_i}}(m_{S_i}) \in \mathcal{D}$. There is no strict definition of operand $\odot$; it refers to any reversible operation that takes two inputs and produces an output that belongs to $\mathcal{D}$. Examples of $\odot$ could vary between trivial operators such as simple addition "+" to more complex bijection functions. $D'_j$ is generated symmetrically to $D_j$, but using key $K'_{S_i}$ instead of $K_{S_i}$.

Fig. 2. An example of an aggregated WSN tree.

Since the BS shares the private key $K_{S_i}$ and initial random reading $m^0_{S_i}$ of every sensor node $S_i$, the BS is able to generate the diffusion value of every transmission phase. This means that the BS can revert every diffused reading D° sent by a sensor $S_i$ in the WSN to its actual value.

V. The SUM Aggregation

In this section, we propose the SUM aggregation function in our secure aggregation protocol. The algorithm that performs the SUM aggregation, SumAgg, is illustrated in Algorithm 1. When the BS receives a query of SUM aggregation function, it broadcasts this request through the WSN. Whenever a sensor node gets this request, it passes the request to its children nodes; this goes on until reaching leaf level. A leaf sensor node receiving this request will send its diffused reading to its parent. For illustration purposes, let us consider the network in Fig. 2. Leaf sensor X sends the following packet to its immediate parent W:



$$X \to W : ID_X, IV_{X,W}, Enc_{K_{X,W}}\big(F_{K_X}(m_X), F_{K'_X}(m_X)\big), MAC_X \tag{3}$$

where

$$MAC_X = MAC\big(K_X, F_{K_X}(m_X) \,\|\, F_{K'_X}(m_X)\big) \tag{4}$$



As we can see, node X sends its $ID_X$ and an encrypted pair of its diffused sensed data $m_X$ to its parent W. X also sends a pairwise counter $IV_{X,W}$ to protect against replay attacks. Finally, X sends a MAC of its reading using its private key and attaches it at the end of the packet for authentication purposes, as we shall see later.

Input: A WSN with set $S$ of $n$ nodes and BS.
Output: SUM aggregation result.

BS broadcasts SUM aggregation query in the WSN
for all $S_i \in S$ do
    $list_{S_i} = \{ID_{S_i}\}$
    Sense $m_{S_i}$
    $DSUM_{S_i} = F_{K_{S_i}}(m_{S_i})$
    $DSUM'_{S_i} = F_{K'_{S_i}}(m_{S_i})$
    for all $S_j$ that is an immediate child of $S_i$ do
        $DSUM_{S_i} = DSUM_{S_i} + DSUM_{S_j}$
        $DSUM'_{S_i} = DSUM'_{S_i} + DSUM'_{S_j}$
        $list_{S_i} = list_{S_i} \cup list_{S_j}$
    end for
end for
BS sums aggregation of its immediate children nodes.
if IPET check for final aggregation result in the BS passes then
    return SUM
else
    Call ComAtt /* Commitment and Attestation Algo. */
end if

Algorithm 1: SumAgg: SUM Aggregation Algorithm

The sensor node W receives similar packets from its other children, i.e. Y and Z. Now W needs to aggregate data received from its children along with its own sensed data $m_W$. This is done through applying the SUM aggregation function, as we can see in the following packet that W sends to its parent G:

$$W \to G : list_W, IV_{W,G}, Enc_{K_{W,G}}\Big(\sum_{S_i \in list_W} F_{K_{S_i}}(m_{S_i}), \sum_{S_i \in list_W} F_{K'_{S_i}}(m_{S_i})\Big), MAC_W \tag{5}$$

where

$$MAC_W = MAC\Big(K_W, \sum_{S_i \in list_W} F_{K_{S_i}}(m_{S_i}) \,\Big\|\, \sum_{S_i \in list_W} F_{K'_{S_i}}(m_{S_i})\Big) \oplus MAC_X \oplus MAC_Y \oplus MAC_Z \tag{6}$$

Here $list_W$ represents the list of all IDs of the children of W who contributed in the aggregation, including $ID_W$. As we can see, W sends its $ID_W$ and IDs of all its children who contributed in the aggregation, and the aggregated SUM of their data. As shown above, W sums all pairs of data in order, i.e. all first elements of every pair are summed together, and the same happens to the second elements of all pairs. This scenario continues until the BS receives from every immediate child a packet that contains the IDs of all nodes that participated in the SUM aggregation on the partition rooted by that child, along with its diffused aggregation pair. The BS then computes the final aggregation pair $(DSUM, DSUM')$ of diffused summation:

$$(DSUM, DSUM') = \Big(\sum_{S_i \in list^*} F_{K_{S_i}}(m_{S_i}), \sum_{S_i \in list^*} F_{K'_{S_i}}(m_{S_i})\Big) \tag{7}$$

where

$$list^* = list_n \cup \ldots \cup list_a \cup \ldots \cup list_Q \tag{8}$$
The actual values of this diffused pair $(DSUM, DSUM')$ should refer to the same output, but since they are diffused differently, they look different. Because the BS knows $K_{S_i}$ and $K'_{S_i}$ for every node $S_i$, the BS is able to generate the diffusion values that every node that contributed in the aggregation has used to diffuse its reading, so the BS can revert the pair $(DSUM, DSUM')$ to their actual values. This is done by finding the summations of all diffusion values that were applied along the path of aggregation, and using these summations when applying the reverse diffusion function on the counterpart results $DSUM$ and $DSUM'$:

$$(SUM, SUM') = \Big(DSUM \oslash \sum_{i \in list^*} D_i,\; DSUM' \oslash \sum_{i \in list^*} D'_i\Big) \tag{9}$$

Here, the operand $\oslash$ refers to the reverse of the diffusion operation. Now that the BS has revealed the actual results $SUM$ and $SUM'$ of the aggregation, it needs to check the integrity of this result. The BS checks the equality of the reverted pair $SUM$ and $SUM'$; if they are equal then the aggregation result is accepted (unless the BS doubts it), otherwise the result is rejected and the attestation process will start to detect the path and the source of the outliers, as explained in Section VI.

The test that uses equation (9) and then checks the equality of the resulting pair is called the Identical Pair Equality Test (IPET). IPET is an O(1) heuristic that gives us a quick initial indication about the integrity of the aggregation result.

Lemma 2: The complexity of SumAgg algorithm with data diffusion is O(n ln(n)) on average, and the BS needs O(1) to verify the integrity of the final aggregation result.

Other aggregation functions like MEAN and MAX can be derived from the above description of SUM aggregation with slight modifications.

VI. Commitment and Attestation 

In this section we turn our attention to verifying sensors' commitments of aggregation, and attestation for finding outlier or compromised nodes. Note that we don't consider detecting the case where a compromised node tries to forge its own data, because such a situation is hard to detect if the forged data belongs to the normal data range, and this resembles node malfunction. In contrast, we are interested in detecting compromised nodes that are trying to forge aggregation data of their non-compromised children. The divide and conquer algorithm for commitment and attestation, ComAtt, is presented in Algorithm 2. This algorithm uses the IPET check as a heuristic to reconstruct only those branches of the network MAC tree which are necessary for the attestation process, avoiding unnecessary reconstruction of the whole MAC tree of the WSN. When the BS discovers that the final aggregation result fails the IPET check, it starts the attestation process by adding its immediate children who contributed in the aggregation to the set $Q$ (the set containing nodes to be tested) for verification. For every node $S_i \in Q$, the BS checks $S_i$ as follows. The BS asks every node $S_i \in Q$ to resend its aggregation packet. The BS then checks the commitment of $S_i$ by constructing its authentication code $MAC^{calc}_{S_i}$ with the help of the final aggregation result authentication code $MAC_{Agg}$ and collected data. If $MAC^{calc}_{S_i}$ is identical to $MAC_{S_i}$, then the BS knows that $S_i$ is committed to its previously sent aggregation packet. If $S_i$ is committed and its aggregation pair passes the IPET check then it is assumed honest (unless the BS doubts its result, as we shall see later) and its descendants will be excluded from further verifications. On the other hand, if $S_i$ appears not to be committed to its previously sent aggregation, or its aggregation pair fails the IPET test, then $S_i$ is added to the list of outliers $list_L$, and every child $S_j$ of $S_i$ is added to the set $Q$ for further investigation. For the case when the commitment test of $S_i$ fails, $S_i$ is also added to the list of not committed nodes $list_C$.

Input: $list^*$ (list of IDs of all nodes contributed in an aggregation), $MAC_{Agg}$ (MAC of final aggregation result)
Output: $list_L$ (list of IDs of outliers)

$list_L = \emptyset$, $list_C = \emptyset$
$Q = \{S_i : \forall S_i \in list^* \wedge S_i$ is immediate children of BS$\}$
while $Q \neq \emptyset$ do
    Pick a node $S_i$ from $Q$
    $S_i \to BS : list_{S_i}, IV_{S_i}, (DSUM_{S_i}, DSUM'_{S_i}), MAC_{S_i}$
    $MAC^{calc}_{S_i}$ = Reconstructed $MAC_{S_i}$ in BS using collected data and $MAC_{Agg}$
    if $MAC^{calc}_{S_i} \neq MAC_{S_i}$ OR IPET check of $S_i$ packet fails then
        if $S_i$ is not committed to its previous aggregation packet then
            $list_C = list_C \cup S_i$
        end if
        $list_L = list_L \cup S_i$
        $Q = Q \cup \{S_j : \forall S_j \in list_{S_i} \wedge S_j$ is immediate children of $S_i\}$
    end if
    $Q = Q - S_i$
end while
for all $S_i \in list_L - list_C$ do
    $list_{S_i} = (list_{S_i} - list_L) \cup S_i$
    $S_i \to BS : list_{S_i}, IV_{S_i}, \big(\sum_{S_j \in list_{S_i}} F_{K_{S_j}}(m_{S_j}), \sum_{S_j \in list_{S_i}} F_{K'_{S_j}}(m_{S_j})\big), MAC_{S_i}$
    if IPET check of aggregation pair of $S_i$ passes then
        $list_L = list_L - S_i$
    end if
end for
RETURN $list_L$

Algorithm 2: ComAtt: Commitment and Attestation Algo.

After processing all nodes in $Q$, $list_L$ will contain suspected nodes that are either not committed or failed the IPET check. Non-committed nodes in $list_L$ are directly considered dishonest or compromised without any further investigation. However, it might be the case that an honest committed node in $list_L$ failed the IPET check because one or more of its children were compromised. We need to eliminate such honest nodes from $list_L$; this is done by further investigation of committed nodes that fail the IPET check, i.e. $S_i \in list_L - list_C$. For every such node $S_i$, the BS requests a new aggregation of $S_i$ that excludes data from any node $S_j \in list_L$; that is, the BS is giving $S_i$ a chance to prove its honesty by finding the aggregation of its only honest children. If the new aggregation of $S_i$ passes the IPET check, then $S_i$ is removed from $list_L$; otherwise, it is kept there. Finally, the ComAtt algorithm returns $list_L$, which contains the set of outliers or compromised nodes.

Lemma 3: The commitment process in ComAtt algorithm is O(c ln n) on average for some constant c, and O(n) in the worst case.

Proof: The proof is a direct consequence of the binary tree search algorithm, considering that the height (depth) of aggregation equals ln n on average. ■
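The SumAgg/IPET flow of Section V and the IPET-guided descent of ComAtt described above, as an added Python simulation that is not the authors' code. It assumes HMAC-SHA256 as $PS$, plain integer addition as the operand (so diffused sums are not wrapped back into $[u, v]$), a single transmission phase, hash-derived keys and a constructed 11-node tree; the MAC commitment check is not modelled, and the names `ps`, `Node`, `ipet`, `com_att`, `build`, `run` and `skew` are this example's own.

```python
import hashlib
import hmac

LO, HI = 0, 1000  # constructed bounds of the reading domain D = [u, v]


def ps(key, prev):
    """Generator map PS(K, D_{j-1}) -> D_j; HMAC-SHA256 is this example's choice."""
    digest = hmac.new(key, prev.to_bytes(8, "big"), hashlib.sha256).digest()
    return LO + int.from_bytes(digest[:8], "big") % (HI - LO + 1)


class Node:
    """Sensor/aggregator; the BS is assumed to hold the same k, k2 and m0."""

    def __init__(self, name, reading, children=(), skew=0):
        self.name, self.reading, self.children = name, reading, list(children)
        self.skew = skew  # constructed fault: offset added to the forwarded DSUM
        self.k = hashlib.sha256(b"K|" + name.encode()).digest()    # K_Si
        self.k2 = hashlib.sha256(b"K'|" + name.encode()).digest()  # K'_Si
        self.m0 = LO + sum(name.encode()) % (HI - LO + 1)          # initial reading

    def packet(self, exclude=frozenset()):
        """SumAgg at this node: (list, DSUM, DSUM') of its subtree, operand '+'."""
        ids = [self.name]
        dsum = ps(self.k, self.m0) + self.reading
        dsum2 = ps(self.k2, self.m0) + self.reading
        for child in self.children:
            if child.name in exclude:
                continue  # re-aggregation without a suspected child
            c_ids, c_dsum, c_dsum2 = child.packet(exclude)
            ids, dsum, dsum2 = ids + c_ids, dsum + c_dsum, dsum2 + c_dsum2
        return ids, dsum + self.skew, dsum2


def ipet(registry, pkt):
    """BS side: strip every listed node's diffusion values, compare the halves."""
    ids, dsum, dsum2 = pkt
    total = dsum - sum(ps(registry[i].k, registry[i].m0) for i in ids)
    total2 = dsum2 - sum(ps(registry[i].k2, registry[i].m0) for i in ids)
    return total == total2, total


def com_att(bs_children, registry):
    """IPET-guided descent of ComAtt; the MAC commitment check is not modelled."""
    suspects, queue, asked = [], list(bs_children), 0
    while queue:
        node = queue.pop(0)
        asked += 1
        if not ipet(registry, node.packet())[0]:
            suspects.append(node.name)
            queue.extend(node.children)  # only failing branches are opened
    outliers = []
    for name in suspects:  # second pass: re-aggregate without the other suspects
        others = frozenset(suspects) - {name}
        if not ipet(registry, registry[name].packet(others))[0]:
            outliers.append(name)
    return outliers, asked


def build(skew_at_w=0):
    """Constructed 11-node tree: W aggregates X, Y, Z and may skew its result."""
    w = Node("W", 20, [Node("X", 21), Node("Y", 22), Node("Z", 23)], skew_at_w)
    g = Node("G", 24, [w, Node("C", 25)])
    p = Node("P", 26, [Node("R", 27), Node("T", 28)])
    h = Node("H", 29, [p, Node("Q", 30)])
    registry, stack = {}, [g, h]
    while stack:
        node = stack.pop()
        registry[node.name] = node
        stack.extend(node.children)
    return [g, h], registry


def run(skew_at_w=0):
    """Returns (SUM, outliers, nodes asked to resend) as seen by the BS."""
    bs_children, registry = build(skew_at_w)
    ids, dsum, dsum2 = [], 0, 0
    for child in bs_children:  # the BS sums its immediate children's packets
        c_ids, c_dsum, c_dsum2 = child.packet()
        ids, dsum, dsum2 = ids + c_ids, dsum + c_dsum, dsum2 + c_dsum2
    ok, total = ipet(registry, (ids, dsum, dsum2))
    return (total, [], 0) if ok else (None, *com_att(bs_children, registry))
```

IPET here compares only the two decoded halves of a packet; binding a packet to the node that sent it is the job of the per-node MACs, which this example leaves out.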

VII. Security Analysis 

In this section, we show how our security protocol could be 
compared to hop-by-hop and end-to-end protocols in terms of 
security level and efficiency of data integrity check. 

A. Node Attacks 

We consider the logical hypothesis that a node $S_i$ is attacked by an intruder (attacker) $I$. This attacker $I$ can gain access to all information of this node including $K_{S_i}$, $list_{S_i}$ and $m_{S_i}$. In this case, it can alter the message $m_{S_i}$ to $m_I$ and encrypt it using the key $K_{S_i}$. We show that the only influence such an attacker can have on the final aggregation result is sending forged aggregation of attacked nodes. If the attacker attempts to change the aggregation values of its children without knowing their dual diffusion seeds, then this attempt will be quickly caught by the IPET test. So, an attacker in this case won't be able to forge its aggregation except by changing its own reading $m_I$ and the aggregations of its children whose dual diffusion seeds are known to the attacker. That is, if an attacker wants to forge the aggregation of n nodes and not get caught by IPET, then this attacker must compromise or acquire private data of n nodes.

Lemma 4: Our aggregation protocol represents a security 
model against spy-out attacks that is better or at least as good 
as hop-by-hop aggregation protocols. 

Proof: Our protocol has an advantage over hop-by-hop 
protocols because of transient data diffusion. Only when a 
passive adversary succeeds in breaking the diffused data of all 
children of a hop, our protocol becomes vulnerable to spy-out 
attacks as any other hop-by-hop protocol. ■ 

Lemma 5: Our protocol performs either more efficient or at 
least as good as end-to-end aggregation protocols in checking 
data integrity. 

Proof: In our protocol, we use the IPET heuristic to reconstruct only the necessary branches of the MAC tree for testing data integrity. In the worst case, we will need to reconstruct the whole MAC tree, which is the case in end-to-end protocols.



VIII. Conclusions 

In this paper, we demonstrated a model for secure data aggregation in WSNs, which is a blend of hop-by-hop operational efficiency and end-to-end data secrecy. We showed that this model has low computational complexity, that the BS uses an O(1) heuristic to verify the final aggregation result of sensed data, and that it needs O(ln n) on average to detect an attacked node. We plan to perform simulation and further security analysis of this model in our future work.